CVE-2025-14882 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting pretix-offlinesales version 1.12.0. The flaw exists in an API endpoint that grants access to sensitive files based solely on the knowledge of a file's UUID, without verifying whether the requesting user is authorized to access that file. This means that if an attacker can guess or obtain the UUID of a file belonging to another user, they can retrieve sensitive information not intended for them. The vulnerability stems from improper access control mechanisms where the system trusts user-supplied identifiers without additional authorization validation. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), partial authentication required (PR:L), no user interaction (UI:N), and high impact on confidentiality (VC:H) but no impact on integrity or availability. No known exploits have been reported, and no official patches are available at the time of publication. This vulnerability could be exploited by authenticated users with limited privileges to access other users' sensitive files, potentially leading to data leakage. The flaw highlights the importance of robust authorization checks beyond mere possession of resource identifiers in API design.

For European organizations using pretix-offlinesales 1.12.0, this vulnerability poses a risk of unauthorized data disclosure, potentially exposing sensitive customer or event-related information. This could lead to privacy violations under GDPR, reputational damage, and loss of customer trust. Although the vulnerability does not affect system integrity or availability, the confidentiality breach could have legal and compliance ramifications, especially for organizations handling personal data. Event organizers, ticketing platforms, and related service providers in Europe relying on pretix-offlinesales may face targeted exploitation attempts if attackers can enumerate UUIDs. The impact is more pronounced in sectors with strict data protection requirements and high volumes of sensitive transactions. Since exploitation requires some authentication, insider threats or compromised accounts could leverage this flaw to escalate data access. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed.

European organizations should immediately audit their pretix-offlinesales deployments to identify if version 1.12.0 is in use. Until an official patch is released, implement strict access controls at the API gateway or web application firewall level to restrict access to the vulnerable endpoint. Employ rate limiting and monitoring to detect unusual access patterns or attempts to enumerate UUIDs. Enforce the principle of least privilege for user accounts to minimize the risk from compromised credentials. Review and enhance authorization logic to ensure that access to files requires verification of user ownership or explicit permissions beyond UUID possession. Consider temporarily disabling or restricting the affected API endpoint if feasible. Maintain detailed logs of API access for forensic analysis. Engage with the pretix vendor or community for updates and patches. Finally, educate staff about the risks of credential compromise and monitor for suspicious activity related to file access.